Enforcement is key to fighting cybercrime

Leave law alone and feel more collars, MPs' report concludes

Analysis The publication of a review of Britain's cybercrime laws by an influential group of MPs and peers this week has been welcomed by the IT industry. Broad agreement with the All Party Internet Group's (APIG) conclusion that the Computer Misuse Act 1990 needs only minor reforms has been matched with widespread calls for tougher enforcement action against cybercriminals.

APIG concluded that the CMA had stood the test of time well. Although written before widespread use of the Internet, its provisions covered most cyber crimes, just as the Theft Act, for example, covers the theft of mobile phones and other devices not even dreamt of by the legislators who drafted that law. APIG limited its recommendation to the introduction of a specific new "denial of service" offence - a grey area in the current law - and tougher sentences for hackers convicted under Section One of the Act. MPs would also like to see steps to encourage private prosecutions of cybercrime offences.

Offences under Section One of the CMA, unauthorised access to computers, would be punishable by up to two years' imprisonment instead of just six months, if APIG's recommendations are taken up by the Home Office. The higher sentences would allow the UK to seek extradition of individuals suspected of Section One (hacking) offences. Penalties for offences under other sections of the Act - unauthorised access with intent to commit further offences (Section Two) and unauthorised modification of computer material (Section Three) - would remain punishable by a maximum of five years' imprisonment.

A good start but more work needed

APIG's recommendations follow a public hearing with industry, Government and public figures in April into how the law could tackle the increase in computer crime. Security services firm Ubizen believes the proposed revisions should help clear up some of the grey areas that exist within the CMA, but that there is still more that should be done.

"The recommendation to increase length of sentencing under section one of the CMA to up to two years, and thus enable the UK to extradite cyber criminals from abroad, is definitely a step in the right direction," said Bart Vansevenant, director of European security strategies at Ubizen. "Many hacking groups operate out of countries in Eastern Europe, and it has been very difficult for the UK authorities to bring them to justice. Hackers in these countries have previously regarded the UK as a 'soft target', so it is good news that this issue is finally being addressed."

Other observers questioned whether tougher laws would have much effect on international hacking activity. Alan Lawson, research analyst at Butler Group, said: "Marginally increased powers for section one hacking offences and explicit denial of service offences may discourage 'joyrider' hackers and stimulate legal prosecutions but is not strong enough to prevent any significant illegal activity. Hardened criminals will continue to ignore the present legislation."

Act locally, think globally

Cybercrime is an international problem that requires an international response. Ubizen would also like to see improved integration of international computer crime laws, the promotion of increased public awareness of cybercrime threats (such as phishing) and California-style laws to oblige companies to tell their customers if confidential details have been accessed. "If companies are obliged to publish when consumers' details have been accessed, a culture of openness will evolve and it will become more acceptable to admit to being a victim of cybercrime," said Ubizen's Vansevenant.

Computer crimes are frequently online variants of established crimes, like fraud and blackmail. A failure to feel enough collars rather than a lack of applicable laws is blamed for the relative rarity of cybercrime prosecutions. The reluctance of victims of cybercrime to come forward is a big problem in this area.

Simon Janes, a former head of Scotland Yard's Computer Crime Unit, reckons that UK businesses typically only report five to seven per cent of all computer-based crimes to the police. "Around 93-95 per cent of all cybercrimes go unreported because companies rate unwanted publicity as potentially more damaging to their business than the incident itself. The report offers recommendations toward allowing private prosecutions; however, I believe that it should go one step further by facilitating and legitimising private cyber investigations," he said.

More resources needed but who will pay?

Janes, operations director of computer forensic firm ibas, and a witness to APIG's inquiry, warns that the UK is facing a critical shortage of trained computer forensic investigators both within law enforcement and in the private sector.

"Whilst the report's recommendations on reforming the Computer Misuse Act are a welcome first step, I am disappointed The All Parliamentary Group has not offered any solution as to how resources can be increased for specialist training for law enforcement agencies," he said.

APIG also recommends a number of other initiatives to tackle new forms of computer-related crime such as "phishing" attacks and spyware. Sometimes it is appropriate to look outside the CMA in tackling cybercrime offences. Measures in the Fraud Bill expected in November, for example, will make it an offence to set up a bogus website prior to sending out phishing emails, a move that will make police action in this arena far more straightforward.

The MPs' recommendations were welcomed by the Home Office, which has announced its intention to review the CMA and bring forward amendments to the Act. Although APIG's report pushes the issue of cybercrime further up the political agenda, it's still unclear if changes in computer crime legislation will be prioritised by the Home Office ahead of a general election, likely to take place in April or May next year. ®

APIG's Key Recommendations

Add a denial-of-service (DoS) offence to the Computer Misuse Act

Increase the tariff for CMA Section One (hacking) offences from six months to two years

Ensure that the Director of Public Prosecutions (DPP) "sets out a permissive policy for private prosecutions" under the CMA

Provide educational material about the Computer Misuse Act (CMA) on the Home Office website

Improve information on cybercrime by using statistical sampling to more accurately estimate levels of computer crime

Introduce a new Fraud Bill - reforming the law on fraud rather than computer crime might be a better way to deal with some offences